From cc97968e96e9858021ea01f7b3b7d20d2a0242da Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 9 Nov 2025 13:18:44 +0900 Subject: [PATCH] 6.6-stable patches added patches: bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch drm-amd-display-enable-mst-when-it-s-detected-but-yet-to-be-initialized.patch drm-sched-fix-deadlock-in-drm_sched_entity_kill_jobs_cb.patch lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch rtc-rx8025-fix-incorrect-register-reference.patch scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch smb-client-fix-potential-uaf-in-smb2_close_cached_fid.patch smb-client-validate-change-notify-buffer-before-copy.patch virtio-net-fix-received-length-check-in-big-packets.patch x86-microcode-amd-add-more-known-models-to-entry-sign-checking.patch --- ...-access-in-parse_adv_monitor_pattern.patch | 60 ++++++++ ...s-detected-but-yet-to-be-initialized.patch | 63 ++++++++ ...ock-in-drm_sched_entity_kill_jobs_cb.patch | 119 +++++++++++++++ ...older-clang-kasan-workaround-for-gcc.patch | 37 +++++ ...025-fix-incorrect-register-reference.patch | 33 +++++ ...ci-fix-s0ix-s3-for-intel-controllers.patch | 138 ++++++++++++++++++ queue-6.6/series | 10 ++ ...tential-uaf-in-smb2_close_cached_fid.patch | 95 ++++++++++++ ...ate-change-notify-buffer-before-copy.patch | 43 ++++++ ...received-length-check-in-big-packets.patch | 79 ++++++++++ ...-known-models-to-entry-sign-checking.patch | 36 +++++ 11 files changed, 713 insertions(+) create mode 100644 queue-6.6/bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch create mode 100644 queue-6.6/drm-amd-display-enable-mst-when-it-s-detected-but-yet-to-be-initialized.patch create mode 100644 queue-6.6/drm-sched-fix-deadlock-in-drm_sched_entity_kill_jobs_cb.patch create mode 100644 queue-6.6/lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch create mode 100644 queue-6.6/rtc-rx8025-fix-incorrect-register-reference.patch create mode 100644 queue-6.6/scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch create mode 100644 queue-6.6/smb-client-fix-potential-uaf-in-smb2_close_cached_fid.patch create mode 100644 queue-6.6/smb-client-validate-change-notify-buffer-before-copy.patch create mode 100644 queue-6.6/virtio-net-fix-received-length-check-in-big-packets.patch create mode 100644 queue-6.6/x86-microcode-amd-add-more-known-models-to-entry-sign-checking.patch diff --git a/queue-6.6/bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch b/queue-6.6/bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch new file mode 100644 index 0000000000..39c1a68af7 --- /dev/null +++ b/queue-6.6/bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch @@ -0,0 +1,60 @@ +From 8d59fba49362c65332395789fd82771f1028d87e Mon Sep 17 00:00:00 2001 +From: Ilia Gavrilov +Date: Mon, 20 Oct 2025 15:12:55 +0000 +Subject: Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() + +From: Ilia Gavrilov + +commit 8d59fba49362c65332395789fd82771f1028d87e upstream. + +In the parse_adv_monitor_pattern() function, the value of +the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). +The size of the 'value' array in the mgmt_adv_pattern structure is 31. +If the value of 'pattern[i].length' is set in the user space +and exceeds 31, the 'patterns[i].value' array can be accessed +out of bound when copied. + +Increasing the size of the 'value' array in +the 'mgmt_adv_pattern' structure will break the userspace. +Considering this, and to avoid OOB access revert the limits for 'offset' +and 'length' back to the value of HCI_MAX_AD_LENGTH. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with SVACE. + +Fixes: db08722fc7d4 ("Bluetooth: hci_core: Fix missing instances using HCI_MAX_AD_LENGTH") +Cc: stable@vger.kernel.org +Signed-off-by: Ilia Gavrilov +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + include/net/bluetooth/mgmt.h | 2 +- + net/bluetooth/mgmt.c | 6 +++--- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/include/net/bluetooth/mgmt.h ++++ b/include/net/bluetooth/mgmt.h +@@ -774,7 +774,7 @@ struct mgmt_adv_pattern { + __u8 ad_type; + __u8 offset; + __u8 length; +- __u8 value[31]; ++ __u8 value[HCI_MAX_AD_LENGTH]; + } __packed; + + #define MGMT_OP_ADD_ADV_PATTERNS_MONITOR 0x0052 +--- a/net/bluetooth/mgmt.c ++++ b/net/bluetooth/mgmt.c +@@ -5358,9 +5358,9 @@ static u8 parse_adv_monitor_pattern(stru + for (i = 0; i < pattern_count; i++) { + offset = patterns[i].offset; + length = patterns[i].length; +- if (offset >= HCI_MAX_EXT_AD_LENGTH || +- length > HCI_MAX_EXT_AD_LENGTH || +- (offset + length) > HCI_MAX_EXT_AD_LENGTH) ++ if (offset >= HCI_MAX_AD_LENGTH || ++ length > HCI_MAX_AD_LENGTH || ++ (offset + length) > HCI_MAX_AD_LENGTH) + return MGMT_STATUS_INVALID_PARAMS; + + p = kmalloc(sizeof(*p), GFP_KERNEL); diff --git a/queue-6.6/drm-amd-display-enable-mst-when-it-s-detected-but-yet-to-be-initialized.patch b/queue-6.6/drm-amd-display-enable-mst-when-it-s-detected-but-yet-to-be-initialized.patch new file mode 100644 index 0000000000..b4c4e2fa15 --- /dev/null +++ b/queue-6.6/drm-amd-display-enable-mst-when-it-s-detected-but-yet-to-be-initialized.patch @@ -0,0 +1,63 @@ +From 3c6a743c6961cc2cab453b343bb157d6bbbf8120 Mon Sep 17 00:00:00 2001 +From: Wayne Lin +Date: Wed, 5 Nov 2025 10:36:31 +0800 +Subject: drm/amd/display: Enable mst when it's detected but yet to be initialized + +From: Wayne Lin + +commit 3c6a743c6961cc2cab453b343bb157d6bbbf8120 upstream. + +[Why] +drm_dp_mst_topology_queue_probe() is used under the assumption that +mst is already initialized. If we connect system with SST first +then switch to the mst branch during suspend, we will fail probing +topology by calling the wrong API since the mst manager is yet to +be initialized. + +[How] +At dm_resume(), once it's detected as mst branc connected, check if +the mst is initialized already. If not, call +dm_helpers_dp_mst_start_top_mgr() instead to initialize mst + +V2: Adjust the commit msg a bit + +Fixes: bc068194f548 ("drm/amd/display: Don't write DP_MSTM_CTRL after LT") +Cc: Fangzhi Zuo +Cc: Mario Limonciello +Cc: Alex Deucher +Reviewed-by: Tom Chung +Signed-off-by: Wayne Lin +Signed-off-by: Alex Deucher +(cherry picked from commit 62320fb8d91a0bddc44a228203cfa9bfbb5395bd) +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -2993,6 +2993,7 @@ static int dm_resume(void *handle) + /* Do mst topology probing after resuming cached state*/ + drm_connector_list_iter_begin(ddev, &iter); + drm_for_each_connector_iter(connector, &iter) { ++ bool init = false; + + if (connector->connector_type == DRM_MODE_CONNECTOR_WRITEBACK) + continue; +@@ -3002,7 +3003,14 @@ static int dm_resume(void *handle) + aconnector->mst_root) + continue; + +- drm_dp_mst_topology_queue_probe(&aconnector->mst_mgr); ++ scoped_guard(mutex, &aconnector->mst_mgr.lock) { ++ init = !aconnector->mst_mgr.mst_primary; ++ } ++ if (init) ++ dm_helpers_dp_mst_start_top_mgr(aconnector->dc_link->ctx, ++ aconnector->dc_link, false); ++ else ++ drm_dp_mst_topology_queue_probe(&aconnector->mst_mgr); + } + drm_connector_list_iter_end(&iter); + diff --git a/queue-6.6/drm-sched-fix-deadlock-in-drm_sched_entity_kill_jobs_cb.patch b/queue-6.6/drm-sched-fix-deadlock-in-drm_sched_entity_kill_jobs_cb.patch new file mode 100644 index 0000000000..8d6d68a38b --- /dev/null +++ b/queue-6.6/drm-sched-fix-deadlock-in-drm_sched_entity_kill_jobs_cb.patch @@ -0,0 +1,119 @@ +From 487df8b698345dd5a91346335f05170ed5f29d4e Mon Sep 17 00:00:00 2001 +From: Pierre-Eric Pelloux-Prayer +Date: Tue, 4 Nov 2025 10:53:57 +0100 +Subject: drm/sched: Fix deadlock in drm_sched_entity_kill_jobs_cb +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pierre-Eric Pelloux-Prayer + +commit 487df8b698345dd5a91346335f05170ed5f29d4e upstream. + +The Mesa issue referenced below pointed out a possible deadlock: + +[ 1231.611031] Possible interrupt unsafe locking scenario: + +[ 1231.611033] CPU0 CPU1 +[ 1231.611034] ---- ---- +[ 1231.611035] lock(&xa->xa_lock#17); +[ 1231.611038] local_irq_disable(); +[ 1231.611039] lock(&fence->lock); +[ 1231.611041] lock(&xa->xa_lock#17); +[ 1231.611044] +[ 1231.611045] lock(&fence->lock); +[ 1231.611047] + *** DEADLOCK *** + +In this example, CPU0 would be any function accessing job->dependencies +through the xa_* functions that don't disable interrupts (eg: +drm_sched_job_add_dependency(), drm_sched_entity_kill_jobs_cb()). + +CPU1 is executing drm_sched_entity_kill_jobs_cb() as a fence signalling +callback so in an interrupt context. It will deadlock when trying to +grab the xa_lock which is already held by CPU0. + +Replacing all xa_* usage by their xa_*_irq counterparts would fix +this issue, but Christian pointed out another issue: dma_fence_signal +takes fence.lock and so does dma_fence_add_callback. + + dma_fence_signal() // locks f1.lock + -> drm_sched_entity_kill_jobs_cb() + -> foreach dependencies + -> dma_fence_add_callback() // locks f2.lock + +This will deadlock if f1 and f2 share the same spinlock. + +To fix both issues, the code iterating on dependencies and re-arming them +is moved out to drm_sched_entity_kill_jobs_work(). + +Cc: stable@vger.kernel.org # v6.2+ +Fixes: 2fdb8a8f07c2 ("drm/scheduler: rework entity flush, kill and fini") +Link: https://gitlab.freedesktop.org/mesa/mesa/-/issues/13908 +Reported-by: Mikhail Gavrilov +Suggested-by: Christian König +Reviewed-by: Christian König +Signed-off-by: Pierre-Eric Pelloux-Prayer +[phasta: commit message nits] +Signed-off-by: Philipp Stanner +Link: https://patch.msgid.link/20251104095358.15092-1-pierre-eric.pelloux-prayer@amd.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/scheduler/sched_entity.c | 34 +++++++++++++++++-------------- + 1 file changed, 19 insertions(+), 15 deletions(-) + +--- a/drivers/gpu/drm/scheduler/sched_entity.c ++++ b/drivers/gpu/drm/scheduler/sched_entity.c +@@ -163,26 +163,15 @@ int drm_sched_entity_error(struct drm_sc + } + EXPORT_SYMBOL(drm_sched_entity_error); + ++static void drm_sched_entity_kill_jobs_cb(struct dma_fence *f, ++ struct dma_fence_cb *cb); ++ + static void drm_sched_entity_kill_jobs_work(struct work_struct *wrk) + { + struct drm_sched_job *job = container_of(wrk, typeof(*job), work); +- +- drm_sched_fence_scheduled(job->s_fence, NULL); +- drm_sched_fence_finished(job->s_fence, -ESRCH); +- WARN_ON(job->s_fence->parent); +- job->sched->ops->free_job(job); +-} +- +-/* Signal the scheduler finished fence when the entity in question is killed. */ +-static void drm_sched_entity_kill_jobs_cb(struct dma_fence *f, +- struct dma_fence_cb *cb) +-{ +- struct drm_sched_job *job = container_of(cb, struct drm_sched_job, +- finish_cb); ++ struct dma_fence *f; + unsigned long index; + +- dma_fence_put(f); +- + /* Wait for all dependencies to avoid data corruptions */ + xa_for_each(&job->dependencies, index, f) { + struct drm_sched_fence *s_fence = to_drm_sched_fence(f); +@@ -210,6 +199,21 @@ static void drm_sched_entity_kill_jobs_c + dma_fence_put(f); + } + ++ drm_sched_fence_scheduled(job->s_fence, NULL); ++ drm_sched_fence_finished(job->s_fence, -ESRCH); ++ WARN_ON(job->s_fence->parent); ++ job->sched->ops->free_job(job); ++} ++ ++/* Signal the scheduler finished fence when the entity in question is killed. */ ++static void drm_sched_entity_kill_jobs_cb(struct dma_fence *f, ++ struct dma_fence_cb *cb) ++{ ++ struct drm_sched_job *job = container_of(cb, struct drm_sched_job, ++ finish_cb); ++ ++ dma_fence_put(f); ++ + INIT_WORK(&job->work, drm_sched_entity_kill_jobs_work); + schedule_work(&job->work); + } diff --git a/queue-6.6/lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch b/queue-6.6/lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch new file mode 100644 index 0000000000..8cc40eb577 --- /dev/null +++ b/queue-6.6/lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch @@ -0,0 +1,37 @@ +From 2b81082ad37cc3f28355fb73a6a69b91ff7dbf20 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 3 Nov 2025 12:11:24 -0700 +Subject: lib/crypto: curve25519-hacl64: Fix older clang KASAN workaround for GCC + +From: Nathan Chancellor + +commit 2b81082ad37cc3f28355fb73a6a69b91ff7dbf20 upstream. + +Commit 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with +clang-17 and older") inadvertently disabled KASAN in curve25519-hacl64.o +for GCC unconditionally because clang-min-version will always evaluate +to nothing for GCC. Add a check for CONFIG_CC_IS_CLANG to avoid applying +the workaround for GCC, which is only needed for clang-17 and older. + +Cc: stable@vger.kernel.org +Fixes: 2f13daee2a72 ("lib/crypto/curve25519-hacl64: Disable KASAN with clang-17 and older") +Signed-off-by: Nathan Chancellor +Acked-by: Ard Biesheuvel +Link: https://lore.kernel.org/r/20251103-curve25519-hacl64-fix-kasan-workaround-v2-1-ab581cbd8035@kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman +--- + lib/crypto/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/crypto/Makefile ++++ b/lib/crypto/Makefile +@@ -31,7 +31,7 @@ libcurve25519-generic-y := curve25519 + libcurve25519-generic-$(CONFIG_ARCH_SUPPORTS_INT128) := curve25519-hacl64.o + libcurve25519-generic-y += curve25519-generic.o + # clang versions prior to 18 may blow out the stack with KASAN +-ifeq ($(call clang-min-version, 180000),) ++ifeq ($(CONFIG_CC_IS_CLANG)_$(call clang-min-version, 180000),y_) + KASAN_SANITIZE_curve25519-hacl64.o := n + endif + diff --git a/queue-6.6/rtc-rx8025-fix-incorrect-register-reference.patch b/queue-6.6/rtc-rx8025-fix-incorrect-register-reference.patch new file mode 100644 index 0000000000..f42165f86f --- /dev/null +++ b/queue-6.6/rtc-rx8025-fix-incorrect-register-reference.patch @@ -0,0 +1,33 @@ +From 162f24cbb0f6ec596e7e9f3e91610d79dc805229 Mon Sep 17 00:00:00 2001 +From: Yuta Hayama +Date: Wed, 15 Oct 2025 12:07:05 +0900 +Subject: rtc: rx8025: fix incorrect register reference + +From: Yuta Hayama + +commit 162f24cbb0f6ec596e7e9f3e91610d79dc805229 upstream. + +This code is intended to operate on the CTRL1 register, but ctrl[1] is +actually CTRL2. Correctly, ctrl[0] is CTRL1. + +Signed-off-by: Yuta Hayama +Fixes: 71af91565052 ("rtc: rx8025: fix 12/24 hour mode detection on RX-8035") +Cc: stable@vger.kernel.org +Link: https://patch.msgid.link/eae5f479-5d28-4a37-859d-d54794e7628c@lineo.co.jp +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-rx8025.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/rtc/rtc-rx8025.c ++++ b/drivers/rtc/rtc-rx8025.c +@@ -316,7 +316,7 @@ static int rx8025_init_client(struct i2c + return hour_reg; + rx8025->is_24 = (hour_reg & RX8035_BIT_HOUR_1224); + } else { +- rx8025->is_24 = (ctrl[1] & RX8025_BIT_CTRL1_1224); ++ rx8025->is_24 = (ctrl[0] & RX8025_BIT_CTRL1_1224); + } + out: + return err; diff --git a/queue-6.6/scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch b/queue-6.6/scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch new file mode 100644 index 0000000000..5d196cb867 --- /dev/null +++ b/queue-6.6/scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch @@ -0,0 +1,138 @@ +From bb44826c3bdbf1fa3957008a04908f45e5666463 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Fri, 24 Oct 2025 11:59:15 +0300 +Subject: scsi: ufs: ufs-pci: Fix S0ix/S3 for Intel controllers + +From: Adrian Hunter + +commit bb44826c3bdbf1fa3957008a04908f45e5666463 upstream. + +Intel platforms with UFS, can support Suspend-to-Idle (S0ix) and +Suspend-to-RAM (S3). For S0ix the link state should be HIBERNATE. For +S3, state is lost, so the link state must be OFF. Driver policy, +expressed by spm_lvl, can be 3 (link HIBERNATE, device SLEEP) for S0ix +but must be changed to 5 (link OFF, device POWEROFF) for S3. + +Fix support for S0ix/S3 by switching spm_lvl as needed. During suspend +->prepare(), if the suspend target state is not Suspend-to-Idle, ensure +the spm_lvl is at least 5 to ensure that resume will be possible from +deep sleep states. During suspend ->complete(), restore the spm_lvl to +its original value that is suitable for S0ix. + +This fix is first needed in Intel Alder Lake based controllers. + +Fixes: 7dc9fb47bc9a ("scsi: ufs: ufs-pci: Add support for Intel ADL") +Cc: stable@vger.kernel.org +Signed-off-by: Adrian Hunter +Reviewed-by: Bart Van Assche +Link: https://patch.msgid.link/20251024085918.31825-2-adrian.hunter@intel.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ufs/host/ufshcd-pci.c | 67 ++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 65 insertions(+), 2 deletions(-) + +--- a/drivers/ufs/host/ufshcd-pci.c ++++ b/drivers/ufs/host/ufshcd-pci.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -34,6 +35,7 @@ struct intel_host { + u32 dsm_fns; + u32 active_ltr; + u32 idle_ltr; ++ int saved_spm_lvl; + struct dentry *debugfs_root; + struct gpio_desc *reset_gpio; + }; +@@ -375,6 +377,7 @@ static int ufs_intel_common_init(struct + host = devm_kzalloc(hba->dev, sizeof(*host), GFP_KERNEL); + if (!host) + return -ENOMEM; ++ host->saved_spm_lvl = -1; + ufshcd_set_variant(hba, host); + intel_dsm_init(host, hba->dev); + if (INTEL_DSM_SUPPORTED(host, RESET)) { +@@ -542,6 +545,66 @@ static int ufshcd_pci_restore(struct dev + + return ufshcd_system_resume(dev); + } ++ ++static int ufs_intel_suspend_prepare(struct device *dev) ++{ ++ struct ufs_hba *hba = dev_get_drvdata(dev); ++ struct intel_host *host = ufshcd_get_variant(hba); ++ int err; ++ ++ /* ++ * Only s2idle (S0ix) retains link state. Force power-off ++ * (UFS_PM_LVL_5) for any other case. ++ */ ++ if (pm_suspend_target_state != PM_SUSPEND_TO_IDLE && hba->spm_lvl < UFS_PM_LVL_5) { ++ host->saved_spm_lvl = hba->spm_lvl; ++ hba->spm_lvl = UFS_PM_LVL_5; ++ } ++ ++ err = ufshcd_suspend_prepare(dev); ++ ++ if (err < 0 && host->saved_spm_lvl != -1) { ++ hba->spm_lvl = host->saved_spm_lvl; ++ host->saved_spm_lvl = -1; ++ } ++ ++ return err; ++} ++ ++static void ufs_intel_resume_complete(struct device *dev) ++{ ++ struct ufs_hba *hba = dev_get_drvdata(dev); ++ struct intel_host *host = ufshcd_get_variant(hba); ++ ++ ufshcd_resume_complete(dev); ++ ++ if (host->saved_spm_lvl != -1) { ++ hba->spm_lvl = host->saved_spm_lvl; ++ host->saved_spm_lvl = -1; ++ } ++} ++ ++static int ufshcd_pci_suspend_prepare(struct device *dev) ++{ ++ struct ufs_hba *hba = dev_get_drvdata(dev); ++ ++ if (!strcmp(hba->vops->name, "intel-pci")) ++ return ufs_intel_suspend_prepare(dev); ++ ++ return ufshcd_suspend_prepare(dev); ++} ++ ++static void ufshcd_pci_resume_complete(struct device *dev) ++{ ++ struct ufs_hba *hba = dev_get_drvdata(dev); ++ ++ if (!strcmp(hba->vops->name, "intel-pci")) { ++ ufs_intel_resume_complete(dev); ++ return; ++ } ++ ++ ufshcd_resume_complete(dev); ++} + #endif + + /** +@@ -624,8 +687,8 @@ static const struct dev_pm_ops ufshcd_pc + .thaw = ufshcd_system_resume, + .poweroff = ufshcd_system_suspend, + .restore = ufshcd_pci_restore, +- .prepare = ufshcd_suspend_prepare, +- .complete = ufshcd_resume_complete, ++ .prepare = ufshcd_pci_suspend_prepare, ++ .complete = ufshcd_pci_resume_complete, + #endif + }; + diff --git a/queue-6.6/series b/queue-6.6/series index 78d96996e7..03065ed1f1 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -359,3 +359,13 @@ lan966x-fix-sleeping-in-atomic-context.patch net-bridge-fix-use-after-free-due-to-mst-port-state-.patch net-bridge-fix-mst-static-key-usage.patch tracing-fix-memory-leaks-in-create_field_var.patch +drm-amd-display-enable-mst-when-it-s-detected-but-yet-to-be-initialized.patch +drm-sched-fix-deadlock-in-drm_sched_entity_kill_jobs_cb.patch +bluetooth-mgmt-fix-oob-access-in-parse_adv_monitor_pattern.patch +rtc-rx8025-fix-incorrect-register-reference.patch +x86-microcode-amd-add-more-known-models-to-entry-sign-checking.patch +smb-client-validate-change-notify-buffer-before-copy.patch +smb-client-fix-potential-uaf-in-smb2_close_cached_fid.patch +virtio-net-fix-received-length-check-in-big-packets.patch +lib-crypto-curve25519-hacl64-fix-older-clang-kasan-workaround-for-gcc.patch +scsi-ufs-ufs-pci-fix-s0ix-s3-for-intel-controllers.patch diff --git a/queue-6.6/smb-client-fix-potential-uaf-in-smb2_close_cached_fid.patch b/queue-6.6/smb-client-fix-potential-uaf-in-smb2_close_cached_fid.patch new file mode 100644 index 0000000000..87d3cc9219 --- /dev/null +++ b/queue-6.6/smb-client-fix-potential-uaf-in-smb2_close_cached_fid.patch @@ -0,0 +1,95 @@ +From 734e99623c5b65bf2c03e35978a0b980ebc3c2f8 Mon Sep 17 00:00:00 2001 +From: Henrique Carvalho +Date: Mon, 3 Nov 2025 19:52:55 -0300 +Subject: smb: client: fix potential UAF in smb2_close_cached_fid() + +From: Henrique Carvalho + +commit 734e99623c5b65bf2c03e35978a0b980ebc3c2f8 upstream. + +find_or_create_cached_dir() could grab a new reference after kref_put() +had seen the refcount drop to zero but before cfid_list_lock is acquired +in smb2_close_cached_fid(), leading to use-after-free. + +Switch to kref_put_lock() so cfid_release() is called with +cfid_list_lock held, closing that gap. + +Fixes: ebe98f1447bb ("cifs: enable caching of directories for which a lease is held") +Cc: stable@vger.kernel.org +Reported-by: Jay Shin +Reviewed-by: Paulo Alcantara (Red Hat) +Signed-off-by: Henrique Carvalho +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/cached_dir.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/fs/smb/client/cached_dir.c ++++ b/fs/smb/client/cached_dir.c +@@ -362,11 +362,11 @@ out: + * lease. Release one here, and the second below. + */ + cfid->has_lease = false; +- kref_put(&cfid->refcount, smb2_close_cached_fid); ++ close_cached_dir(cfid); + } + spin_unlock(&cfids->cfid_list_lock); + +- kref_put(&cfid->refcount, smb2_close_cached_fid); ++ close_cached_dir(cfid); + } else { + *ret_cfid = cfid; + atomic_inc(&tcon->num_remote_opens); +@@ -406,12 +406,14 @@ int open_cached_dir_by_dentry(struct cif + + static void + smb2_close_cached_fid(struct kref *ref) ++__releases(&cfid->cfids->cfid_list_lock) + { + struct cached_fid *cfid = container_of(ref, struct cached_fid, + refcount); + int rc; + +- spin_lock(&cfid->cfids->cfid_list_lock); ++ lockdep_assert_held(&cfid->cfids->cfid_list_lock); ++ + if (cfid->on_list) { + list_del(&cfid->entry); + cfid->on_list = false; +@@ -446,7 +448,7 @@ void drop_cached_dir_by_name(const unsig + spin_lock(&cfid->cfids->cfid_list_lock); + if (cfid->has_lease) { + cfid->has_lease = false; +- kref_put(&cfid->refcount, smb2_close_cached_fid); ++ close_cached_dir(cfid); + } + spin_unlock(&cfid->cfids->cfid_list_lock); + close_cached_dir(cfid); +@@ -455,7 +457,7 @@ void drop_cached_dir_by_name(const unsig + + void close_cached_dir(struct cached_fid *cfid) + { +- kref_put(&cfid->refcount, smb2_close_cached_fid); ++ kref_put_lock(&cfid->refcount, smb2_close_cached_fid, &cfid->cfids->cfid_list_lock); + } + + /* +@@ -566,7 +568,7 @@ cached_dir_offload_close(struct work_str + + WARN_ON(cfid->on_list); + +- kref_put(&cfid->refcount, smb2_close_cached_fid); ++ close_cached_dir(cfid); + cifs_put_tcon(tcon, netfs_trace_tcon_ref_put_cached_close); + } + +@@ -743,7 +745,7 @@ static void cfids_laundromat_worker(stru + * Drop the ref-count from above, either the lease-ref (if there + * was one) or the extra one acquired. + */ +- kref_put(&cfid->refcount, smb2_close_cached_fid); ++ close_cached_dir(cfid); + } + queue_delayed_work(cfid_put_wq, &cfids->laundromat_work, + dir_cache_timeout * HZ); diff --git a/queue-6.6/smb-client-validate-change-notify-buffer-before-copy.patch b/queue-6.6/smb-client-validate-change-notify-buffer-before-copy.patch new file mode 100644 index 0000000000..62384cc9a4 --- /dev/null +++ b/queue-6.6/smb-client-validate-change-notify-buffer-before-copy.patch @@ -0,0 +1,43 @@ +From 4012abe8a78fbb8869634130024266eaef7081fe Mon Sep 17 00:00:00 2001 +From: Joshua Rogers +Date: Fri, 7 Nov 2025 00:09:37 +0800 +Subject: smb: client: validate change notify buffer before copy + +From: Joshua Rogers + +commit 4012abe8a78fbb8869634130024266eaef7081fe upstream. + +SMB2_change_notify called smb2_validate_iov() but ignored the return +code, then kmemdup()ed using server provided OutputBufferOffset/Length. + +Check the return of smb2_validate_iov() and bail out on error. + +Discovered with help from the ZeroPath security tooling. + +Signed-off-by: Joshua Rogers +Reviewed-by: Paulo Alcantara (Red Hat) +Cc: stable@vger.kernel.org +Fixes: e3e9463414f61 ("smb3: improve SMB3 change notification support") +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/smb/client/smb2pdu.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/smb/client/smb2pdu.c ++++ b/fs/smb/client/smb2pdu.c +@@ -4068,9 +4068,12 @@ replay_again: + + smb_rsp = (struct smb2_change_notify_rsp *)rsp_iov.iov_base; + +- smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset), +- le32_to_cpu(smb_rsp->OutputBufferLength), &rsp_iov, ++ rc = smb2_validate_iov(le16_to_cpu(smb_rsp->OutputBufferOffset), ++ le32_to_cpu(smb_rsp->OutputBufferLength), ++ &rsp_iov, + sizeof(struct file_notify_information)); ++ if (rc) ++ goto cnotify_exit; + + *out_data = kmemdup((char *)smb_rsp + le16_to_cpu(smb_rsp->OutputBufferOffset), + le32_to_cpu(smb_rsp->OutputBufferLength), GFP_KERNEL); diff --git a/queue-6.6/virtio-net-fix-received-length-check-in-big-packets.patch b/queue-6.6/virtio-net-fix-received-length-check-in-big-packets.patch new file mode 100644 index 0000000000..764010903c --- /dev/null +++ b/queue-6.6/virtio-net-fix-received-length-check-in-big-packets.patch @@ -0,0 +1,79 @@ +From 0c716703965ffc5ef4311b65cb5d84a703784717 Mon Sep 17 00:00:00 2001 +From: Bui Quang Minh +Date: Thu, 30 Oct 2025 21:44:38 +0700 +Subject: virtio-net: fix received length check in big packets + +From: Bui Quang Minh + +commit 0c716703965ffc5ef4311b65cb5d84a703784717 upstream. + +Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length +for big packets"), when guest gso is off, the allocated size for big +packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on +negotiated MTU. The number of allocated frags for big packets is stored +in vi->big_packets_num_skbfrags. + +Because the host announced buffer length can be malicious (e.g. the host +vhost_net driver's get_rx_bufs is modified to announce incorrect +length), we need a check in virtio_net receive path. Currently, the +check is not adapted to the new change which can lead to NULL page +pointer dereference in the below while loop when receiving length that +is larger than the allocated one. + +This commit fixes the received length check corresponding to the new +change. + +Fixes: 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets") +Cc: stable@vger.kernel.org +Signed-off-by: Bui Quang Minh +Reviewed-by: Xuan Zhuo +Tested-by: Lei Yang +Link: https://patch.msgid.link/20251030144438.7582-1-minhquangbui99@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -591,17 +591,6 @@ static struct sk_buff *page_to_skb(struc + goto ok; + } + +- /* +- * Verify that we can indeed put this data into a skb. +- * This is here to handle cases when the device erroneously +- * tries to receive more than is possible. This is usually +- * the case of a broken device. +- */ +- if (unlikely(len > MAX_SKB_FRAGS * PAGE_SIZE)) { +- net_dbg_ratelimited("%s: too much data\n", skb->dev->name); +- dev_kfree_skb(skb); +- return NULL; +- } + BUG_ON(offset >= PAGE_SIZE); + while (len) { + unsigned int frag_size = min((unsigned)PAGE_SIZE - offset, len); +@@ -1344,9 +1333,19 @@ static struct sk_buff *receive_big(struc + struct virtnet_rq_stats *stats) + { + struct page *page = buf; +- struct sk_buff *skb = +- page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0); ++ struct sk_buff *skb; ++ ++ /* Make sure that len does not exceed the size allocated in ++ * add_recvbuf_big. ++ */ ++ if (unlikely(len > (vi->big_packets_num_skbfrags + 1) * PAGE_SIZE)) { ++ pr_debug("%s: rx error: len %u exceeds allocated size %lu\n", ++ dev->name, len, ++ (vi->big_packets_num_skbfrags + 1) * PAGE_SIZE); ++ goto err; ++ } + ++ skb = page_to_skb(vi, rq, page, 0, len, PAGE_SIZE, 0); + u64_stats_add(&stats->bytes, len - vi->hdr_len); + if (unlikely(!skb)) + goto err; diff --git a/queue-6.6/x86-microcode-amd-add-more-known-models-to-entry-sign-checking.patch b/queue-6.6/x86-microcode-amd-add-more-known-models-to-entry-sign-checking.patch new file mode 100644 index 0000000000..2c44458c9e --- /dev/null +++ b/queue-6.6/x86-microcode-amd-add-more-known-models-to-entry-sign-checking.patch @@ -0,0 +1,36 @@ +From d23550efc6800841b4d1639784afaebdea946ae0 Mon Sep 17 00:00:00 2001 +From: "Mario Limonciello (AMD)" +Date: Thu, 6 Nov 2025 12:28:54 -0600 +Subject: x86/microcode/AMD: Add more known models to entry sign checking + +From: Mario Limonciello (AMD) + +commit d23550efc6800841b4d1639784afaebdea946ae0 upstream. + +Two Zen5 systems are missing from need_sha_check(). Add them. + +Fixes: 50cef76d5cb0 ("x86/microcode/AMD: Load only SHA256-checksummed patches") +Signed-off-by: Mario Limonciello (AMD) +Signed-off-by: Borislav Petkov (AMD) +Cc: +Link: https://patch.msgid.link/20251106182904.4143757-1-superm1@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/microcode/amd.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kernel/cpu/microcode/amd.c ++++ b/arch/x86/kernel/cpu/microcode/amd.c +@@ -210,10 +210,12 @@ static bool need_sha_check(u32 cur_rev) + case 0xaa001: return cur_rev <= 0xaa00116; break; + case 0xaa002: return cur_rev <= 0xaa00218; break; + case 0xb0021: return cur_rev <= 0xb002146; break; ++ case 0xb0081: return cur_rev <= 0xb008111; break; + case 0xb1010: return cur_rev <= 0xb101046; break; + case 0xb2040: return cur_rev <= 0xb204031; break; + case 0xb4040: return cur_rev <= 0xb404031; break; + case 0xb6000: return cur_rev <= 0xb600031; break; ++ case 0xb6080: return cur_rev <= 0xb608031; break; + case 0xb7000: return cur_rev <= 0xb700031; break; + default: break; + } -- 2.47.3